Alarm Management

Our clients appreciate the fact that we are involved in projects across a wide spectrum of industries because we bring insights from common challenges experienced by other industries that lead to innovative solutions to their problems. A good example is alarm management, which is a consideration in the design of almost every kind of critical system. Although the details of alarm management may vary considerably between technical domains, our approach to helping clients with alarm management is based on the same fundamental concepts and principles.

Thanks to Hollywood and movies such as The China Syndrome (1979), most of us have a sense of the adrenaline-fueled drama of a control room during an emergency, with alarm bells ringing and lights flashing. But helping a client develop a sound approach to alarm management goes well beyond thinking about the rare moments of high drama.

For example, an operator could eventually become desensitized to a spurious alarm that is repeatedly triggered by a faulty sensor and miss the significance of the alarm on the one day when there really is a need for urgent action. To reduce the distraction of nuisance alarms, operators often have a means of suppressing an alarm. However, an ad hoc approach to alarm suppression can have dire consequences, as illustrated by the 1997 crash of a Korean Air 747 jetliner in which one of the Minimum Safe Altitude Warning (MSAW) alarms of the ground-based equipment used by air traffic controllers had been modified in such a way that it would no longer alert controllers when an approaching aircraft was below the minimum safe altitude.
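The disciplined alternative to ad hoc suppression, as an added illustration that is not code from the original page or from the firm's own tools: a shelf (temporary suppression) always carries a hard expiry and an audit record, is refused outright for safety-critical alarms such as an MSAW, and an alarm that chatters is flagged for maintenance rather than silently hidden. The tag names, the eight-hour limit and the chatter window are assumptions.

```python
# Added illustration (not from the page): time-limited, audited alarm shelving
# plus chattering-alarm detection. Tag names and limits are assumptions.
from collections import deque
from dataclasses import dataclass, field

MAX_SHELF_SECONDS = 8 * 3600   # assumed policy: a shelf may never outlive one shift
CHATTER_LIMIT = 5              # assumed: more activations than this per window is a nuisance
CHATTER_WINDOW = 600           # seconds

@dataclass
class Alarm:
    tag: str
    safety_critical: bool = False
    shelved_until: float = 0.0                      # 0.0 means not shelved
    history: deque = field(default_factory=deque)   # recent activation timestamps
    audit: list = field(default_factory=list)       # (time, operator, action, detail)

class AlarmManager:
    def __init__(self):
        self.alarms = {}

    def add(self, tag, safety_critical=False):
        self.alarms[tag] = Alarm(tag, safety_critical)

    def shelve(self, tag, operator, reason, seconds, now):
        """Suppress an alarm temporarily. Returns False (and records the refusal)
        if the alarm is safety-critical or the requested duration is out of policy."""
        a = self.alarms[tag]
        if a.safety_critical or not 0 < seconds <= MAX_SHELF_SECONDS:
            a.audit.append((now, operator, "shelve refused", reason))
            return False
        a.shelved_until = now + seconds             # every shelf has a hard expiry
        a.audit.append((now, operator, "shelved", f"{reason} for {seconds}s"))
        return True

    def activate(self, tag, now):
        """Record an activation; return True if the operator must be annunciated."""
        a = self.alarms[tag]
        a.history.append(now)
        while now - a.history[0] > CHATTER_WINDOW:   # drop activations outside the window
            a.history.popleft()
        if a.shelved_until and now >= a.shelved_until:
            a.shelved_until = 0.0                    # shelf expired: alarm comes back on its own
            a.audit.append((now, "system", "unshelved", "shelf expired"))
        return a.shelved_until == 0.0

    def is_chattering(self, tag):
        """A chattering alarm is flagged for maintenance, never silently hidden."""
        return len(self.alarms[tag].history) > CHATTER_LIMIT
```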

Our work on client projects has taken us into many different control rooms, such as the control room at CERN, a short distance from Geneva, Switzerland. CERN operators are responsible for eight different accelerators, including the remarkable Large Hadron Collider (LHC). Less than 24 hours after participating in a meeting in the CERN control room building, we watched, along with thousands of people around the world, the restart of the LHC in November 2009.

For some client projects we are asked to help with the development of an alarm management system. Other clients have asked us to evaluate an existing approach to alarm management and provide recommendations for improvement. In either case, the starting point for this activity is usually to identify the purpose of alarms. In theory, every alarm should require a response by an operator. In practice, however, we see some alarm management systems for which the primary purpose of alarms is to maintain situational awareness.

The theory and best practices of alarm management are not just applicable to control rooms staffed by an operator sitting in front of an array of high resolution graphical displays. For example, the same fundamental concepts and principles are also applicable to the design of an alarm management system for a futuristic passenger vehicle, which may rely on very different technology such as a “seat shaker” to get the attention of a driver rather than ringing a chime or flashing a light on the dashboard.

The trend towards increasing automation and remote operation of critical systems brings an increasing importance to alarm management. A physical tremor may have alerted Jack Lemmon’s character in The China Syndrome to an abnormal condition in the nuclear power plant before any alarm was sounded. But if the operator of a critical system is hundreds or even thousands of miles away, he or she must rely on the alarm management system.

Helping clients address alarm management challenges is interesting work for us because it allows us to simultaneously draw from a variety of experiences and areas of expertise. First of all, we need to determine the relationship between abnormal states of the systems and potential hazards. Secondly, we must understand the technology for detection of abnormal states, including the potential limitations of this technology. Thirdly, we must take into account human factors to ensure that alarms are effectively communicated to operators.

An excellent resource for alarm management theory and practice is Alarm Management for Process Control by Douglas H. Rothenberg. We also depend on guidelines published by the Engineering Equipment and Materials Users' Association, EEMUA 191. However, the best resource is the time we have spent observing operators at work in control rooms across a variety of industries.

Cyber-Security and Safety for Aircraft and Aircraft Systems: DO-326A guidance
CSL has been an active member of the international committee, RTCA SC 216, charged with the responsibility of developing guidance material that will help ensure safe, secure and efficient operations amid the growing use of highly integrated electronic systems and network technologies used on-board aircraft, for CNS/ATM systems and air carrier operations and maintenance. Recent efforts of the committee have resulted in a revision of RTCA DO 326 “Airworthiness Security Process Specification” that was released on the RTCA web site in August 2014.
The guidance of DO-326A is intended to augment current guidance for aircraft certification to handle the information security (i.e., cybersecurity) threat to aircraft safety. In a nutshell, this new document describes a security engineering process that includes generic activities with corresponding compliance objectives.
The scope of DO-326A not only covers the...

EN ISO 14971 or not EN ISO 14971?

The European community recognised EN ISO 14971:2012 in July 2012. EN ISO 14971:2012 supersedes EN ISO 14971:2009, which was based on ISO 14971:2007 ‘Medical devices - Application of risk management to medical devices’.

In general, the EC committee felt that the application of ISO 14971:2007 did not meet the Essential Requirements described in the European Medical Device Directive 93/42/EEC. Therefore the EC group reviewed ISO 14971 to identify those areas in the standard that are not compliant with the MDD and formally document these deviations.

EN ISO 14971:2012 applies only to manufacturers with devices intended for the European market; for the rest of the world, ISO 14971:2007 remains the standard recommended for risk management purposes.

Standard outline

This standard, published* in 2012, is somewhat unusual in its layout: it includes three annexes located at the beginning of the document and then includes a copy of the 2007 corrected version of ISO...

FAA recognizes RTCA DO-178C and associated technical supplements (July 2013)

The FAA published AC20-115C on July 19, 2013. In this AC, the FAA recognizes RTCA DO-178C, three associated technical supplements and the 'Software Tool Qualification Considerations' document. The actual documents that are the subject of this AC are the following RTCA documents:

- DO-178C, Software Considerations in Airborne Systems and Equipment Certification
- DO-330, Software Tool Qualification Considerations, dated December 13, 2011
- DO-331, Model-Based Development and Verification Supplement to DO-178C and DO-278A
- DO-332, Object-Oriented Technology and Related Techniques Supplement to DO-178C and DO-278A
- DO-333, Formal Methods Supplement to DO-178C and DO-278A

It has been a long-awaited recognition since the release of RTCA DO-178C in December 2011. (By comparison, RTCA DO-178B was endorsed by the FAA only one month after its publication.)

Similarly to the previous AC that it replaces, this new AC...

Correctness vs. Safety

One of the examples that we regularly use in our training material is the catastrophic loss of Lufthansa Flight 2904 on September 14, 1993, when it ran off the end of the runway in Warsaw, Poland. It is an interesting and very useful teaching example because it illustrates some of the main themes of the training that we regularly provide to clients on system/software safety. This accident is particularly effective as an introduction to the training material because students quickly realize that we are not simply talking about defect prevention or quality assurance.

When an Airbus 320 lands, the crew relies on the combination of brakes, ground spoilers and reverse thrusters to slow the aircraft. However, in the case of Flight 2904 the activation of all three of these critical systems was delayed such that the aircraft reached the end of the runway at a speed of 72 knots and hit an embankment, resulting in 2 fatalities.

The official investigation concluded that the...
